Applies To:

BIG-IQ Cloud

About Amazon Web Services (AWS) integration

BIG-IQ Cloud provides you with the tools to manage Amazon EC2 and
CloudWatch resources required to perform application delivery. Management tasks include
discovering and creating BIG-IP VE virtual machines located in Amazon
Virtual Private Cloud (VPC), application pool servers, and deploying applications. You can use
these features to accommodate application traffic fluctuations by periodically adding and
retracting devices and application servers, as needed. Additionally, you can provide tenants
access to self-deployable iApps through Amazon EC2 integration.

To provide access to these services for Amazon EC2 tenants, you configure communication between
Amazon EC2 products and BIG-IQ Cloud. Then, you associate an Amazon EC2 cloud connector with a
device, and create a catalog entry for a corresponding Amazon EC2 service profile. The tenants to
whom you give access to the catalog entry see it in their applications panel. From there, they
can use it to self-deploy their own iApps.

Network requirements for AWS integration communication

For proper communication with devices located in Amazon Web Services, you must configure an
outbound self IP address on BIG-IQ Cloud for DNS and NTP, and you must define a network route
between the BIG-IQ Cloud internal VLAN and the public Internet, or the Amazon Web Services
endpoint. For specific instructions, refer to BIG-IQ System: Licensing and Initial Setup and
your Amazon documentation.

Important: This task is optional; you can create a virtual machine without
creating an IAM user account to control access, but it is best practice to use an
IAM account. F5 recommends that you do not use the AWS root account and access
keys. Instead, use IAM to create identities you can more easily manage and
revoke in the case of a security breach.

Tip: When you manually deploy a virtual machine on AWS EC2, you must create
an administrator password in addition to the IAM access keys. If you use the
automated process to deploy a virtual server, only the access keys are required.

For this task, you must create a group and two IAM user accounts. For the most
current instructions for performing these steps, refer to the IAM documentation web
site, http://aws.amazon.com/documentation/iam/.

From https://console.aws.amazon.com/iam, create a group
with aws-full-access (Administrator Access).

Create an AWS-Admin user and add that user to the
aws-full-access group.

Create a BIG-IQ Connector user and add that user to the
aws-full-access group.
For this user, you must download or copy an access key that you use to connect
BIG-IQ Cloud to your AWS account.

From the AWS dashboard, set up an account alias.
Note the IAM user login link. For example,
https://my-account-alias.signin.aws.amazon.com/console

Log out of the AWS dashboard as the root user.

Navigate back to the user login link and sign in as the
AWS-Admin user.

You can now create a new Virtual Private Cloud (VPC).

Creating a Virtual Private Cloud

You need an Amazon Virtual Private Cloud (VPC) to deploy the
BIG-IQ Cloud system, because AWS provides multiple network interface card (NIC)
support only for instances that reside within a VPC.

You create a virtual network topology according to your networking needs. The
standard network topology used for BIG-IQ Cloud integration includes three subnets.
These subnets provide virtual private address spaces used to interconnect your
machines and applications. You can use elastic self IP addresses for public internet
accessibility.

For the most current instructions for creating a VPC, refer to the VPC
Documentation web site,
http://aws.amazon.com/documentation/vpc/.

Navigate to https://console.aws.amazon.com/vpc and select
the AWS Region in which you want to manage resources.
For example, Oregon.

From the VPC Wizard's VPC with Public and Private
Subnets option, set the IP CIDR Block to
10.0.0.0/16.

Set the public subnet to 10.0.0.0/24.
This is the management network.

Select an availability zone.
For example, us-west-2c. It is crucial that you use
this availability zone throughout the configuration process. Objects configured
in one zone are not visible within other zones, so they cannot function
together. This availability zone is required when you create a BIG-IQ Cloud
connection.

Set the private subnet to 10.0.1.0/24.
This is the external data network.

Create subnet 10.0.2.0/24.
This is the internal network.

Create a security group named, allow-all-traffic, and
associate it with the VPC you created.
You must use this exact name.

Set the Inbound Rules ALL Traffic Source to
0.0.0.0/0.

Set the Outbound Rules ALL Traffic Destination to
0.0.0.0/0.

Create a Route Table for the external data network to reach the Internet.

Add a route to Destination 0.0.0.0/0 through Target
igw-<xxxx>.

<xxxx> is the Internet Gateway that the VPC Wizard
created automatically.

Allocate two Elastic IP
Addresses.

You now should create a BIG-IQ Cloud connector to associate with this
VPC.

Launching a virtual server with an Amazon Machine Image (AMI)

Before you can complete this task, you need to know the name of your key pair and
the Availability Zone from which it was created.

You launch an EC2 Amazon Machine Image (AMI) so that you can deploy the virtual
machine.

Important: At publication, this task illustrates the Amazon web interface.
However, F5 recommends that you refer to Amazon user documentation for the latest
documentation.

Log in to your account on Amazon Web Services (AWS) marketplace.

In the Search AWS Marketplace bar, type F5 BIG-IQ and
then click GO.
The F5 BIG-IQ Virtual Edition for AWS option is displayed.

Click F5 BIG-IQ Virtual Edition for AWS and then click
CONTINUE.

Tip: You might want to take a moment here to browse the pricing
details to confirm that the region in which you created your security key
pair provides the resources you require. If you determine that the resources
you need are provided in a region other than the one in which you created
your key pair, create a new key pair in the correct region before
proceeding.

Select the software version appropriate for your installation, and then click
the Launch with EC2 button that corresponds to the Region
that provides the resources you plan to use.

Important: The first time you perform this task, you need to accept
the terms of the end user license agreement before you can proceed, so the
Launch with EC2 button reads Accept
Terms and Launch with EC2.

Important: There are a number of factors that determine which region
will best suit your requirements. Refer to Amazon user documentation for
additional detail. Bear in mind that the region you choose must match the
region in which you created your security key pair.

The Request Instances Wizard opens.

Select an Instance Type appropriate for your use.

From the Launch Instances list, select
EC2-VPC.

From the Subnet list, select the
10.0.0.0/24 subnet and click
CONTINUE.
The Advanced Instance Options view of the wizard opens.

From the Number of Network Interfaces list, select
2.

Click the horizontal eth1 tab to set values for the
second network interface adapter, and then from the
Subnet list, select the
10.0.1.0/24 subnet and click
CONTINUE.
The Storage Device Configuration view of the wizard opens.

In the Value field, type in an intuitive name that
identifies this AMI and click CONTINUE (for example,
BIG-IQ VE <version>).
The Create Key Pair view of the wizard opens.

From Your existing Key Pairs, select the key pair you
created for this AMI and click CONTINUE.
The Configure Firewall view of the wizard opens.

Under Choose one or more of your existing Security Groups, select the
allow-all-traffic security group, and then click
CONTINUE.
The Review view of the wizard opens.

Confirm that all settings are correct, and then click
Launch.
The Launch Instance Wizard displays a message to let you know your
instance is launching.

Click Close.

Your new instance appears in the list of instances when it is fully
launched.

Configuring an EC2 cloud connector

Before you can create an EC2 cloud connector, you must first discover devices in the Amazon EC2
cloud and create an Amazon Identity and Access Management (IAM) user account. If you
want BIG-IQ Cloud to automatically provision additional BIG-IP VE servers and
devices for your tenant when more resources are needed, you must also purchase and
activate a license pool to associate with this connector.

To enable integration between a third-party cloud provider and the BIG-IQ
device, you must configure a cloud connector. A cloud connector is a
resource that identifies the local or virtual environment in which a tenant deploys
applications and, when necessary, adds parameters required by third-party cloud
providers.

Log in to BIG-IQ Cloud with your administrator user name
and password.

Hover over the Connectors header and click the + icon
when it appears.

In the Name and Description
fields, type a name and description.
You can use the name and description to help you organize network resources
into logical groups based on certain criteria, such as the location or
application.

From the Cloud Provider list, select Amazon
EC2.

In the Region Endpoint field, type the entry point
URL.
For example, ec2.us-east-1.amazonaws.com is the region
endpoint for the Amazon EC2 US East (Northern Virginia) Region. Refer to the
AWS documentation for a list of all regional endpoints at
http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region.

In the Key ID and Secret Key
fields, type the credentials of the BIG-IQ-Connector IAM user.
For security purposes, it is important to specify a user that has Amazon EC2
Full Control Access.

In the Availability Zone field, type the location of the
region in which the instances are located.
For example, type us-west-2c for the availability zone
for Oregon state.

In the Virtual Private Cloud field, you may type the
identification for the EC2 Virtual Private Cloud (VPC) network topology inside
the Availability Zone.
This step is optional. If you do not specify the identification for a VPC,
BIG-IQ Cloud uses the first one it discovers in the Availability Zone.

Click the arrow next to Device & Server Provisioning
to display associated options.
The screen refreshes to display the options.

To prompt BIG-IQ Cloud to automatically provision additional BIG-IP VE devices
when more resources are needed for application traffic, for the
Device Elasticity setting, select
Enable.

From the Device License list, select a rate at which you
want Amazon to direct-bill for additional devices, or select a license pool from
which to grant a license.
You must activate a license pool before you can select it.

To automatically prompt BIG-IQ Cloud to provision additional servers when more
resources are needed to manage an influx in application traffic, for the
Server Elasticity setting, select
Enable.

Review the network settings populated when you selected a connector, verifying
that the proper CIDR blocks display for management, external, and
internal.

Click the Save button.

If the system discovered devices, you must expand the device's properties
panel, and provide the device's credentials to finalize the discovery
process.


You now create a device associated with this EC2 cloud connector.
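The connector fields above must agree with each other: the availability zone (for example us-west-2c) belongs to exactly one region, and the region endpoint (ec2.<region>.amazonaws.com) must be for that same region, otherwise the connector discovers nothing in the zone. The following checker is an added example, not BIG-IQ Cloud code from F5; it assumes the endpoint is entered as the bare host name shown in the step above, that an availability zone is a region name followed by a single zone letter, and that a VPC identifier has the form vpc-<hex id> (all three are assumptions about AWS naming, not values taken from this page).

```python
import re

# Region grammar ("us-west-2", "ap-northeast-1", "us-gov-west-1"); an availability
# zone is the region followed by one zone letter ("us-west-2c"). Assumed, not from the page.
REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
ENDPOINT_RE = re.compile(rf"^ec2\.(?P<region>{REGION})\.amazonaws\.com$")
AZ_RE = re.compile(rf"^(?P<region>{REGION})[a-z]$")
VPC_ID_RE = re.compile(r"^vpc-[0-9a-f]+$")   # assumed id format


def region_of_endpoint(endpoint):
    """Region encoded in an EC2 region endpoint host name, or None if malformed."""
    m = ENDPOINT_RE.match(endpoint.strip().lower())
    return m.group("region") if m else None


def region_of_az(az):
    """Region that an availability zone belongs to, or None if malformed."""
    m = AZ_RE.match(az.strip().lower())
    return m.group("region") if m else None


def check_connector(endpoint, availability_zone, vpc_id=None):
    """Return a list of problems with the connector's region fields; [] means consistent."""
    problems = []
    ep_region = region_of_endpoint(endpoint)
    if ep_region is None:
        problems.append(
            f"region endpoint {endpoint!r} is not of the form ec2.<region>.amazonaws.com "
            "(enter the bare host name, without https://)"
        )
    az_region = region_of_az(availability_zone)
    if az_region is None:
        problems.append(
            f"availability zone {availability_zone!r} is not of the form <region><zone letter>"
        )
    if ep_region and az_region and ep_region != az_region:
        # The mismatch the page's own examples would produce if copied literally:
        # the endpoint example is us-east-1 while the zone example is us-west-2c.
        problems.append(
            f"availability zone {availability_zone} is in region {az_region}, "
            f"but the endpoint is for {ep_region}"
        )
    if vpc_id is not None and not VPC_ID_RE.match(vpc_id):
        problems.append(f"VPC identifier {vpc_id!r} does not look like vpc-<hex id>")
    return problems


if __name__ == "__main__":
    for ep, az in [("ec2.us-west-2.amazonaws.com", "us-west-2c"),
                   ("ec2.us-east-1.amazonaws.com", "us-west-2c")]:
        print(ep, az, "->", check_connector(ep, az) or "consistent")
```

Run the check against the three values before you click Save; the page notes that objects in one zone are invisible from another, so a region mismatch is the first thing to rule out when the connector discovers no devices.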

Creating a BIG-IP VE version 11.5 or later in the Amazon EC2 cloud

After you license and perform the initial configuration for the BIG-IQ system, you
can create devices in the Amazon EC2 cloud. For proper communication, you must configure
a route between each instance and the BIG-IQ system. If you do not specify the required
network communication route between the devices, then creation fails.

Before you perform this task you must first open specific ports
on your EC2 AMI BIG-IQ instance and on any associated EC2 BIG-IP instances. To open
these ports, you need additional security group rules in your
allow-only-ssh-https-ping security group, and you need to
associate these rules with the management interface.

You need to create three rules: two outbound rules for the
BIG-IQ instance, and one inbound rule for the BIG-IP instance.

Group Name                  Group Description
allow-only-ssh-https-ping   Allow only SSH, HTTPS, or PING

Rule Name        Source       Port
Outbound SSH     0.0.0.0/0    22 (SSH)
Outbound HTTPS   0.0.0.0/0    443 (HTTPS)
Inbound HTTPS    0.0.0.0/0    443 (HTTPS)

To create a BIG-IP VE instance in Amazon EC2 cloud, you associate the EC2 Cloud
connector you configured with that device.

Log in to BIG-IQ Cloud with your administrator user name
and password.

Hover over the Devices header, and click the
+ icon when it appears.

Select the Create a Device option.

From the Cloud Connector list, select the EC2 cloud connector you
created.

From the Device Image list, select the AMI you created
for this device.

Select the Auto Update Framework check box to direct the
BIG-IQ system to perform any required REST framework updates on the BIG-IP
device.
For the BIG-IQ system to properly manage a BIG-IP device, the BIG-IP device
must be running the most recent REST framework. If you do not select the
Auto Update Framework check box before you click the
Add button, a message displays prompting you to
update the framework or cancel the task.

To prompt BIG-IQ Cloud to assign the default user admin and a randomly-selected password, select the Use "admin" check box.

To assign a specific user name and password, deselect the Use "admin" check box.
The screen refreshes to display additional settings.

In the User Name and Password fields, type a user name and password for the user of this device.

Click the Add button.

BIG-IQ System populates the properties of the device that you added, and
displays the device in the Devices panel.

Creating a BIG-IP VE version 11.3 or 11.4 in the Amazon EC2 cloud

You can perform this task only after you have licensed and
installed the BIG-IQ system and at least one BIG-IP device running version 11.3 or 11.4.

Before you perform this task you must first open specific ports
on your EC2 AMI BIG-IQ instance and on any associated EC2 BIG-IP instances. To open
these ports, you need additional security group rules in your
allow-only-ssh-https-ping security group, and you need to
associate these rules with the management interface.

You need to create three rules: two outbound rules for the
BIG-IQ instance, and one inbound rule for the BIG-IP instance.

Group Name                  Group Description
allow-only-ssh-https-ping   Allow only SSH, HTTPS, or PING

Rule Name        Source       Port
Outbound SSH     0.0.0.0/0    22 (SSH)
Outbound HTTPS   0.0.0.0/0    443 (HTTPS)
Inbound HTTPS    0.0.0.0/0    443 (HTTPS)

To create a BIG-IP VE version 11.3 or 11.4 instance in Amazon EC2 cloud, you must
update the BIG-IP VE REST framework that supports the required BIG-IQ Cloud
Java-based management services, and then associate the EC2 Cloud connector you
configured with that device.

Warning: When you perform this task, the traffic management interface (TMM) on the
BIG-IP VE restarts. Before you perform this task, verify that no critical
network traffic is targeted to the BIG-IP VE device.

Log in to the BIG-IQ system terminal as the root user.

Establish SSH trust between the BIG-IQ system and the managed BIG-IP
device:
    ssh-copy-id root@<BIG-IP Management IP Address>
This step is optional. If you do not establish trust, you will be required to
provide the BIG-IP system's root password multiple times.

Navigate to the folder in which the files reside:
    cd /usr/lib/dco/packages/upd-adc

Revoke SSH trust between the BIG-IQ system and the managed BIG-IP device by
removing, over SSH, the key that ssh-copy-id installed in the BIG-IP system's
authorized_keys file. <username>@<computername> is the comment on that key
(the BIG-IQ user and host name):
    ssh root@<BIG-IP Management IP address> "grep -v '<username>@<computername>' /root/.ssh/authorized_keys > /tmp/authorized_keys.tmp; mv -f /tmp/authorized_keys.tmp /root/.ssh/authorized_keys"
This step is not required if you did not establish trust in step 2.

Log in to BIG-IQ Cloud with your administrator user name
and password.

In the Device panel, click the gear icon next to the legacy device with a
yellow triangle next to it and displaying the message, Discovery is
incomplete.

In the Admin User Name and Admin
Password fields, type the administrator user name and password
for the managed device.

Select the Auto Update Framework check box to direct the
BIG-IQ system to perform any required REST framework updates on the BIG-IP
device.
For the BIG-IQ system to properly manage a BIG-IP device, the BIG-IP device
must be running the most recent REST framework. If you do not select the
Auto Update Framework check box before you click the
Add button, a message displays prompting you to
update the framework or cancel the task.

Click the Save button.
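The trust-revocation step above uses grep -v, which drops every authorized_keys line that merely contains the pattern: a comment such as <username>@<computername> that is a substring of another key's comment removes that key too, and if every line matches, the redirection installs an empty file. The following is an added example, not F5's procedure, of doing the same cleanup with an exact match on the key's comment field and a guard on how many entries may be removed before the file is rewritten. The sample authorized_keys contents, the host names and the key material are constructed placeholders.

```python
import os
import tempfile

# Constructed sample authorized_keys contents; the key blobs are placeholders, not real keys.
SAMPLE_KEYS = [
    "# keys installed on the managed BIG-IP (constructed sample)\n",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-KEY-1 admin@bigiq-host\n",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER-KEY-2 ops@jumphost\n",
    'from="10.0.0.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER-KEY-3 backup@bigiq-host\n',
]

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def filter_authorized_keys(lines, key_comment):
    """Drop entries whose comment field equals key_comment exactly.

    Returns (kept_lines, removed_count). Blank lines, comment lines and lines that
    do not parse as a key entry are always kept. Options containing spaces inside
    quotes are not handled (this is a simplified parser).
    """
    kept, removed = [], 0
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # Options may precede the key type, so find the type token first; the
        # comment is everything after the base64 blob that follows it.
        type_idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if type_idx is None:
            kept.append(line)
            continue
        comment = " ".join(fields[type_idx + 2:])
        if comment == key_comment:
            removed += 1
        else:
            kept.append(line)
    return kept, removed


def revoke_key(path, key_comment, expect=1):
    """Rewrite path without the matching entry, keeping a .bak copy and replacing atomically.

    Refuses to touch the file unless exactly `expect` entries matched, so a pattern
    that matches nothing (typo) or too much (shared comment) cannot silently do harm.
    """
    with open(path) as fh:
        lines = fh.read().splitlines(keepends=True)
    kept, removed = filter_authorized_keys(lines, key_comment)
    if removed != expect:
        raise RuntimeError(f"matched {removed} entries, expected {expect}; file left untouched")
    with open(path + ".bak", "w") as fh:
        fh.writelines(lines)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.writelines(kept)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)   # atomic rename on POSIX
    return removed


if __name__ == "__main__":
    kept, removed = filter_authorized_keys(SAMPLE_KEYS, "admin@bigiq-host")
    print(f"removed {removed} entry, {len(kept)} lines kept")
```

Running revoke_key on the BIG-IP (for example with the script copied over and invoked as root) replaces the grep/mv pair; the expect guard is the part worth keeping even if you stay with the shell one-liner, since it turns a wrong pattern into a refusal rather than an empty authorized_keys file.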

Important: Before you begin using this BIG-IQ system in
a production capacity, depending on your security policies, you will likely want to
stop using the security group rules that you added as prerequisite to this
task.
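The security groups this guide has you create (allow-all-traffic with all traffic from and to 0.0.0.0/0, and the allow-only-ssh-https-ping rules in the table above) are convenient for the initial deployment and are exactly what the Important note above says to revisit. The following audit is an added example, not part of BIG-IQ Cloud or of F5's documentation; it works on group records in the shape returned by the EC2 describe-security-groups call (IpPermissions, IpProtocol, FromPort, ToPort, IpRanges), with both groups constructed inline from the values on this page, and shows the narrowed form where the inbound source is the management subnet 10.0.0.0/24 rather than the world.

```python
import copy
import ipaddress

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed group records mirroring the page's two security groups, in the
# shape of EC2 describe-security-groups output (IpProtocol "-1" means all traffic).
ALLOW_ALL = {
    "GroupName": "allow-all-traffic",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SSH_HTTPS_PING = {
    "GroupName": "allow-only-ssh-https-ping",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def describe(perm):
    """Short label for one permission entry: 'all traffic', 'icmp', 'tcp/443', 'tcp/8000-8100'."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all traffic"
    if proto == "icmp":
        return "icmp"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def open_to_world(group, direction="IpPermissions"):
    """Labels of the rules in `direction` whose source/destination is 0.0.0.0/0."""
    hits = []
    for perm in group.get(direction, []):
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]) == ANYWHERE:
                hits.append(describe(perm))
    return hits


def audit(group, allowed_ingress=frozenset({"tcp/22", "tcp/443", "icmp"})):
    """Findings for a group: any all-traffic ingress from anywhere, and any
    world-reachable ingress outside the allowed set (default: the page's SSH/HTTPS/PING)."""
    findings = []
    for rule in open_to_world(group, "IpPermissions"):
        if rule == "all traffic":
            findings.append(f"{group['GroupName']}: inbound all traffic from 0.0.0.0/0")
        elif rule not in allowed_ingress:
            findings.append(f"{group['GroupName']}: inbound {rule} from 0.0.0.0/0 not in allowed set")
    return findings


def narrow_sources(group, cidr, direction="IpPermissions"):
    """Copy of the group with every 0.0.0.0/0 entry in `direction` replaced by `cidr`.
    Only ingress is narrowed by default: the BIG-IQ instance still needs outbound
    access to the regional AWS endpoint, per the network requirements section."""
    new = copy.deepcopy(group)
    for perm in new.get(direction, []):
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]) == ANYWHERE:
                rng["CidrIp"] = cidr
    return new


if __name__ == "__main__":
    for g in (ALLOW_ALL, SSH_HTTPS_PING, narrow_sources(ALLOW_ALL, "10.0.0.0/24")):
        print(g["GroupName"], "->", audit(g) or "no findings")
```

The audit treats the page's own SSH/HTTPS/PING set as the ceiling for what may be reachable from anywhere; in practice the inbound HTTPS rule on the BIG-IP instance only needs to admit the BIG-IQ management subnet, which is what narrow_sources produces.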

Creating a customized application template

Before you can customize an application template for a tenant, you must discover at
least one F5 device that contains iApps templates.

As a cloud provider, you modify iApps templates to customize network settings,
levels of services, and so forth, for tenants. You can create variations of the same
application, offering different types of access (LAN or WAN), or providing a specific
limit of connections.

Note: Once you customize and save an application as a
catalog entry, you cannot modify it.

Hover over the Catalog header, and click the + icon when
it appears.
The panel expands to display the Catalog properties.

In the Name field, type a name for this new
application.

From the Application Type list, select an
application.

Unless you want to restrict this application template to a specific cloud
connector, leave the Cloud Connector setting as
Tenant Selectable so tenants are allowed to select
the appropriate cloud connector when they deploy this application.

If the Application Tiers settings are displayed
(expanded), select the options that match the properties for this application;
otherwise, keep the default settings.

Important: If you must specify the options for these settings,
select the Tenant Editable check box for the virtual
server and pool members.

To allow cloud tenants to specify certificates with SSL encryption when self-deploying applications, select options from the SSL Cert and SSL Key lists.
BIG-IQ Cloud uses these options to provide the appropriate certificate and key
when the tenant self-deploys this application to a
BIG-IP device. These options are not available for all
application templates.

Finish making modifications by specifying the Application Properties and
Customize Application Template variables.
To allow a tenant to modify a particular setting, select the Tenant
Editable check box for that setting. For further details about
template variables and settings, refer to the BIG-IP
iApps Developer's Guide.

Click the Save button.
You can now send the cloud IP addresses to the tenant and use this IP
address range in configuring server tiers and pool members, within certain
application services. The tenant can self-deploy the application from the
catalog.

The customized application displays as an entry in the catalog.

Deploying applications

Before you can deploy and use an application, your cloud service provider must add
you as a user and a tenant, and associate you with at least one cloud
connector.

When a cloud administrator adds you as a cloud tenant user, they contact you with
the details about the resources to which you have access. These resources are provided
to you in the form of an application template. As a cloud tenant user, you can customize
these application templates and deploy them.

Log in to the BIG-IQ Cloud with your tenant user name and password.

Hover over the Applications header, and click the + icon
when it appears.

In the Name field, type a name for this new
application.

From the Application Type list, select an
application.

From the Cloud Connector list, select the cloud
connector associated with where you want to deploy your application.
A cloud connector is a resource that identifies the local or
virtual environment in which a tenant deploys applications and, when necessary,
adds parameters required by third-party cloud providers.

To configure BIG-IQ Cloud to automatically provision additional resources when
traffic to your application increases, select Enable from
the Server Elasticity list and specify the settings for
the server elasticity options that display.
This option is available only for the EC2 connector. For automatic server
provisioning to work, your cloud service provider must have enabled the
Server Elasticity setting for this EC2
connector.

From the Node Image list, select the image from
which to create new application servers when capacity is met and
additional servers are required.

In the Min. # of Servers field, type the minimum
number of application servers you want running at any given time.

In the Max. # of Servers field, type the maximum
number of application servers you want running when additional servers
are required.

From the Monitor By list, select the category
associated with the statistic on which you want to base the threshold
value.

For the When setting, select a specific
statistic, the associated relational operator, and type a number in
the field for the threshold.
Base the threshold on the maximum amount of traffic a server can
reasonably process for this application to ensure that BIG-IQ Cloud adds
additional resources at the right time.

In the Add Servers field, type the number of
application servers you want BIG-IQ Cloud to add when this threshold is
met.

To define a new SSL certificate and private key for this application, for the
SSL Certificate Options, paste the PEM (CRT or CER)
text representation of the certificate and private key.
The SSL certificate and private key must be unbundled Base64 encoded ASCII
text with PEM header and footer.
This option is not available for all applications.

Alternatively, select the Use Existing option to use an
SSL certificate and private key already stored on the device.

You can further customize this application by specifying an IP address for the
virtual server and adding pool hosts.
If your cloud service provider assigned IP addresses for the Servers, Pool Hosts, and Pool
Members for this application, the addresses display. If these addresses were
specified as not editable, you cannot change them.

When you are finished, click the Deploy button located
at the top of the New Application panel.

You can now use this new application, and any application server associated with
this new application displays in the Server panel.
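The Server Elasticity settings above (Min. # of Servers, Max. # of Servers, Monitor By / When, Add Servers) describe a threshold rule without spelling out how the bounds interact with it. The following model is an added example, not BIG-IQ Cloud's provisioning logic; it assumes the reading that the minimum is a floor that is restored first, that the maximum is a hard cap on what a trigger may add, and that the page describes scale-out only (no scale-in rule is defined here). The operator set and the sample traffic series are constructed.

```python
import operator

# Relational operators assumed to be offered by the "When" setting.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def servers_to_add(current, observed, op, threshold, add_servers, min_servers, max_servers):
    """How many application servers one evaluation of the elasticity rule adds.

    The floor (min_servers) is restored before the rule is consulted; the rule
    then adds add_servers, but never past max_servers. Never returns a negative
    number: the page defines no scale-in behaviour.
    """
    if not 1 <= min_servers <= max_servers:
        raise ValueError("need 1 <= min_servers <= max_servers")
    if add_servers < 1:
        raise ValueError("Add Servers must be at least 1")
    if op not in OPS:
        raise ValueError(f"unknown operator {op!r}")
    if current < min_servers:
        return min_servers - current
    if current >= max_servers or not OPS[op](observed, threshold):
        return 0
    return min(add_servers, max_servers - current)


def simulate(observations, *, op, threshold, add_servers, min_servers, max_servers, start=None):
    """Apply the rule to a series of observed statistic values; return the server count after each."""
    current = min_servers if start is None else start
    history = []
    for obs in observations:
        current += servers_to_add(current, obs, op, threshold, add_servers, min_servers, max_servers)
        history.append(current)
    return history


if __name__ == "__main__":
    # Constructed series of a per-server statistic (e.g. connections) sampled over time.
    series = [50, 90, 95, 97, 40]
    print(simulate(series, op=">", threshold=80, add_servers=2, min_servers=1, max_servers=5))
```

The simulation makes the page's advice concrete: with a threshold set too low, the pool reaches Max. # of Servers after a couple of samples and later triggers are silently ignored, so the threshold should sit near what one server can reasonably process.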

Setting up tenant access using IAM

You might want your tenants to have access to all or part of the EC2 cloud you are provisioning
so that they are able to configure resources required by their applications. You can
provide full access by simply providing the account information (user name and
password) that you created previously. More typically, you can provide more limited
access by setting up separate user accounts for the tenant, and then configuring the
access for those users as best suits your needs.

Important: If you decide to grant full tenant access to the IAM account,
bear in mind that restricting this account to a single tenant becomes even more
prudent.

The following step-sequence provides an outline of the tasks you perform using the
AWS EC2 user interface. For the most current instructions for performing each of
these tasks, refer to the Amazon Web Services EC2 Management Console web site
https://console.aws.amazon.com/ec2/v2/home.

Log in to the AWS IAM console.

Create a user role to encapsulate relevant permissions for this tenant.
If a user needs to create key pairs, make certain that they have sufficient
permissions.

Configure password policies for this tenant.

Create user accounts and set passwords for this tenant.

Create the user(s).

Specify the IAM AWS Management URL that you will provide to your tenants so
that they can log in to this IAM account and directly manage their
resources.
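The tenant role in the steps above should carry the permissions the tenant's applications need and no more; handing out the full-access credentials created earlier is what the Important note warns against. The following linter is an added example, not F5 or AWS code; it reads IAM policy documents in their standard JSON shape (Version, Statement, Effect, Action, Resource) and flags the two patterns that make a "tenant" policy equivalent to the aws-full-access group. The two policy documents and the action names in them are constructed for illustration.

```python
import json

# Constructed policy documents for illustration (not from the page or from AWS).
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
TENANT_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        # example actions a tenant that must create its own key pairs might need
        "Action": ["ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:CreateKeyPair"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def allow_statements(policy):
    """Yield (actions, resources) for every Allow statement, scalars normalised to lists."""
    for stmt in _as_list(_load(policy).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            yield _as_list(stmt["Action"]), _as_list(stmt.get("Resource", []))


def is_admin_equivalent(policy):
    """True if some Allow statement grants Action "*" on Resource "*"."""
    return any("*" in acts and "*" in res for acts, res in allow_statements(policy))


def wildcard_actions(policy):
    """Sorted set of Allow actions that contain a wildcard, e.g. "ec2:*"."""
    return sorted({a for acts, _ in allow_statements(policy) for a in acts if "*" in a})


def lint(policy):
    """Findings that indicate the policy is broader than a tenant-scoped role should be."""
    findings = []
    if is_admin_equivalent(policy):
        findings.append("grants Action * on Resource *: equivalent to the aws-full-access group, "
                        "not a tenant-scoped role")
    for action in wildcard_actions(policy):
        if action != "*":
            findings.append(f"wildcard action {action}: enumerate the actions the tenant actually needs")
    return findings


if __name__ == "__main__":
    for name, doc in (("full-access", FULL_ACCESS), ("tenant-scoped", TENANT_SCOPED)):
        print(name, "->", lint(doc) or "no findings")
```

Run lint over the policy attached to the tenant role before handing out the IAM sign-in URL; a policy with no findings is not automatically least-privilege, but one with findings is certainly not.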

Viewing activity for cloud resources

Before you can view dynamic cloud resource activity, you must have an EC2 cloud
connector with the Device Elasticity setting enabled.

Viewing activity for dynamic cloud resources gives you insight into how cloud
resources are expanding to address increased traffic to applications.

To view the resource associated with a particular activity, click the activity
located on the Activities panel.
The associated objects are highlighted in the relevant
panels.

To view specific activity details, place your cursor on an activity.
A popup window opens to display further details about the selected
activity.